by Jay Stamps

[A slightly modified version of this article will appear in Speaking of Computers on January 12, 2005.]

• Did you know that - under certain circumstances - an 8-character perfectly random Microsoft Windows password consisting only of numbers and letters of the alphabet can be "cracked" in a few minutes using commercially available software?


• Did you know (based on various informal studies) that the seven most common passwords in English are: 1) no password at all, 2) sex, 3) love, 4) god, 5) secret, 6) money, and 7) password? People also commonly use their own computer account names as passwords, or the names of family members or pets.

Computer hackers certainly know these facts. Using a variety of advanced tools and techniques, hackers can more or less easily guess passwords that are based solely on combinations, inversions or other permutations of dictionary words (not just English words!) and numbers, common personal or place names - even random strings of characters - provided that the passwords are fairly short.

• So did you know that you can use phrases - which are longer than traditional passwords, easier to remember, and often easier to type - instead of old-fashioned passwords for Windows 2000 and Windows XP PCs, Macintoshes running Mac OS X 10.3 or higher (but not 10.2 and below), as well as for your SUNet ID?

As passwords become longer, they become exponentially more difficult to guess. If you were to use a 15-character password for example, even if vast computing power were applied to the problem of guessing it, on average, with existing methods and equipment, a hacker would need many years to discover it at last.

What about password complexity, which is another way of saying randomness? The randomness of your password depends on three related and quantifiable properties: the number of characters it contains (that is, its length), the size of the character set you employ (for example, upper- and lower-case letters of the English alphabet, numbers, punctuation marks, symbols), and the improbability of the order in which you combine those characters. An example of a very random 8-character password is 4(`S&zAp, while an example of a very non-random 8-character password is password.

The more random a password or pass phrase, the harder it is for anyone - including a password-cracking computer program - to guess.

Dictionary words consist by definition of highly probable orderings of alphabetic characters. When you set a password for your SUNet ID, for example, it is checked against a growing dictionary of English and non-English words and names - currently totaling 2.7 million - as well as a large number of possible transformations of those words, including certain combinations with numbers: If your proposed SUNet ID password doesn't meet stringent complexity requirements, it won't be accepted by the system.

As passwords become longer, however, the size of the character set that you choose from and the improbability of your ordering of individual characters begin to matter less. You can include dictionary words and still have a sufficiently complex password (or pass phrase) to ward off hackers and satisfy SUNet ID password complexity requirements - so long as you observe a few simple rules. A well-chosen, easily remembered 15-character pass phrase, in fact, is far more secure than a perfectly random, very unmemorable 8-character password.

Use Pass Phrases instead of Passwords!

For your Windows 2000 and XP user accounts, for your Mac OS X 10.3 and higher user accounts, and for your SUNet ID, consider changing your password to a pass phrase: The advice below is specific to Stanford and to these types of computer accounts. Not all operating systems and software applications support the use of longer pass phrases (for example, Windows 98 and Mac OS X 10.2 and below do not), or even the use of punctuation and special characters in conventional passwords.

• If you have local technical support personnel, please check with them before you follow any of these suggestions! For a variety of reasons - perhaps most important, the possibility of enforced Windows user account lockout policies - pass phrases may be a bad idea in certain environments.


• Longer is better! but only within limits. If you choose to switch from a password to a pass phrase, the pass phrase should be between 15 and 25 characters in length - no less, no more. (Spaces and other punctuation marks count as characters.)


• It must not be - or be a snippet from - a well-known phrase, slogan, expression, song lyric, quote from film or theater, or anything else obvious.


• Ideally your pass phrase should involve a uniquely exotic combination of words and names that's easy for you to remember, to type and to associate with a particular computer account, but that no one would be able to guess. Nonsense phrases - especially, according to psychological research, "shocking nonsense" - can be very easy to remember, but almost impossible for someone else to guess.


• One option is to base your pass phrase on some private fact, known only to you, and in your pass phrase to express that fact in a way that would be meaningful only to you. Do not, however, under any circumstances use identifying information like Social Security numbers, phone numbers, credit card numbers or birth dates: These data are often easily available to hackers. Be more creative, and be more obscure.


• Use digits, punctuation marks (including spaces, commas, periods, hyphens, slashes) and capitalization. That's right: You can and should use punctuation marks including spaces!


• Use intentional misspellings, bad grammar, and foreign or invented words.


• You can even use symbols or symbol substitutions, such as "$" for "S" or "@" for "a" - which are all but pointless in a short password, because hackers know about those substitutions, too. To avoid potential compatibility problems, you should use only symbols that are available on a standard US English computer keyboard.


• Just as with passwords, you should avoid committing your pass phrases to paper: Keep them in your head. Combined with their relative length, the ease with which a normal person can remember a short but unusual phrase - as opposed to a short combination of random letters, numbers and symbols - is the primary justification for preferring pass phrases. A well-chosen pass phrase will stick in your head at least as well as it would on a Post-It note on your computer monitor.

If you can't handle typing in a pass phrase with 15 characters or more, then you should continue using shorter, but still fairly random passwords. Pass phrases containing more than 25 characters are unwieldy to type, and for most people, with respect to computer security, they're overkill. There are always fixed limits for maximum pass phrase length, which vary widely among different operating systems, applications, and authentication protocol implementations; these limits are not always properly documented, if they're documented at all.

A length between 15 and 25 characters is a good, general-purpose range for the average computer account pass phrase - so long as you observe the other requirements and suggestions listed above.

The randomness in a pass phrase - the best measure of its security - comes not only from its length, of course, compared to a typical password, but also from your selection of words and how you combine them. To help you get a handle on the meaning of randomness in this context, here are some examples of good pass phrases (that you should never use yourselves, since they're now on the web for everyone to see!):

Pizza w/ krispy Spaniels
Aunt Bea's zip is 27030
en arche en ho Logos, pal
Baby's 1st word was foo
mangl3d persimmon th3rapy
raised on 33 Bleecker St.
Fluffy Mopokes (ouch)

If you're a reasonably fast typist, entering a 15-, 20- or 25-character pass phrase is no great burden. And if you're running Windows 2000, XP, or Mac OS X 10.3 or above, single sign-on permits you to use a single pass phrase to log in to your PC or Macintosh, to log in to PC-/MacLeland, and so to log in to various restricted resources on the Stanford web all at the same time, entering the pass phrase only once. For more information about single sign-on, please refer to the PC-Leland and MacLeland documentation available on the Stanford web.

Note that for single sign-on to work, your Windows or Mac OS X user name and pass phrase must match your SUNet ID and pass phrase exactly.

To change your SUNet ID password to a pass phrase, visit the StanfordYou web page.

For an excellent discussion of passwords and pass phrases on the Windows platform, see this series by Jesper Johansson, Microsoft's Security Program Manager:

http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx

Here's a more informal, but lively and interesting piece from Robert Hensing, one of Microsoft's senior PSS Security Incident Response team members:

http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

Here's a link to a pass phrase generator by John Walker:

http://www.fourmilab.ch/javascrypt/pass_phrase.html

Microsoft Windows NT 4.0, 2000, XP and Server 2003 support 127-character Unicode pass phrases for local user accounts; Macintosh OS X 10.3 and above support 255-character ASCII pass phrases, while Macintosh OS X 10.2.8 and below truncate passwords longer than 8 ASCII characters; the Kerberos protocol supports 255-character ASCII pass phrases, but SUNet ID pass phrases over 40 characters in length may cause problems for certain applications.